Hi all,

Thank you to Andrew, Dan, Brian and those who communicated off-list for your good ideas and analysis. Based on Brian's suggestion, I found a section on the EFF website on Medical Privacy: https://www.eff.org/issues/medical-privacy

I also found a section of HIPAA regulations that mandates encryption and other (inadequate?) technical safeguards for protected health information: http://www.hipaasurvivalguide.com/hipaa-regulations/164-312.php

Some states are passing laws on the breach of online information; my state has a law that requires companies that have major breaches to inform their customers. A national health system was breached last month and the medical records of 4.5 million people were stolen. Think about that for a moment. http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

It's unclear to me what the repercussions are to an organization that encrypts and is still hacked--it seems like the law is not settled in this area. But the ability of a patient to sue (for negligence?) seems like a promising incentive to spur health organizations to try to do the right thing--if not for the good of their patients, now and in the future.

Not a lawyer, but feeling better informed,
Katie

ps: It's worth noting that the administrator I spoke to at the conference was indeed a doctor--a doctor dazzled by the cool "privacy is dead" folks he met at a cyber security agency and at a health insurance company--who seemed to be the experts.

On Wed, Sep 24, 2014 at 3:26 AM, Brian Behlendorf <[email protected]> wrote:
> On Tue, 23 Sep 2014, Kate Krauss wrote:
>
>> I was chatting with a health care administrator at a conference who is
>> charged with rolling out a telehealth (read: Skype) clinical program for
>> patients to communicate with doctors.
>>
> [...]
>
>> The health care administrator said that studies show that patients would
>> rather get expedient care than protect their privacy if they have to choose.
>>
> [...]
>
>> I glimpsed a yawning abyss in which the private health information of
>> hundreds of millions of people is in jeopardy because of clowns like this
>> guy at large healthcare organizations across the country/world. It already
>> is by neglect, but not yet by design.
>>
>
> Usually the "privacy is dead" types are financially incented to believe
> this due to ownership stakes in the surveillance industry, by which I also
> include social media companies. I hope this person never comes down with a
> venereal disease (especially one their partner didn't have), or a future
> employer doesn't discover how expensive they'll be for the corporate health
> plan. And in particular in your domain, AIDS policy work, there was a time
> when not only was it ignored as a disease at all, but those fighting for it
> to be recognized as a national health emergency were at risk of being
> shamed or outed against their will.
>
> What's even more worrisome are comments like Larry Page's that 100k lives
> could be saved if only Google could analyze everyone's health data:
>
> http://patientprivacyrights.org/2014/06/googles-larry-page-wants-save-100000-lives-analyzing-healthcare-data/
>
> I'm a believer in the idea of using data to gain insights (if researchers
> can adequately correct for cognitive biases, which few can) but the risk of
> re-identification or spilling of confidential information is still too damn
> high for most. I suspect this is why Google struggled with their
> personal-health-record platform, Google Health, because few people were
> motivated to turn their patient records over to a company whose business
> model is advertising. Microsoft seems to be having more success with
> HealthVault, which is encouraging.
>
> Fortunately in the brief moment I spent focused on healthcare
> (co-designing and launching HHS's "Direct Project" effort for
> health-records-sharing over SMTP/TLS), I got the sense that this view is
> not prevalent, that most practitioners understand the value of privacy, and
> that if it's come at the cost of progress in health IT and easy transfer of
> records between doctors and clinics, it's hard to say it's not been worth
> it. Celebrity nude photos are one thing; celebrity (or non-) HIV test
> results something completely else. Encryption at rest and in transit,
> ensuring that patient records are only shared with the patients themselves
> or licensed physicians, proper de-identification - those have not been
> constraints on setting up effective health IT systems or sharing between
> doctors and patients. It's more the legacy of broken systems and
> silo-based thinking, compounded by the modern sense that "data is the new
> oil" and therefore should be hoarded rather than shared. But those are
> afflictions less of the practitioners and more of the health IT software
> vendors themselves.
>
>> I said:
>>
>> 1. What are your principles for securing patient data offline? What are
>> the rights of the patient as a patient and as a person? Figure those out in
>> writing and then work to encrypt data and secure patient privacy so that
>> those rights and principles are upheld. Even if it's difficult and
>> expensive to do it.
>>
>> 2. I said that asking patients to choose was a false choice--they deserve
>> good medical care and to keep their medical information private. At the
>> same time.
>>
>> 3. I said that it's not acceptable to lower the standards for patients
>> (this would be tens of thousands of patients in his case alone) just
>> because they don't understand the implications of sharing their personal
>> data. I said that he was in a position of great responsibility to protect
>> patients and that he shouldn't give up without a fight. He was
>> unconvinced--probably because it's cheaper and easier to ignore privacy
>> concerns and he's under pressure to get the ball rolling.
>>
>> What would you say in this situation?
>>
>
> If I'd had half the clarity as you did in saying what you said I would
> have considered myself lucky. That was great. I suspect this
> "administrator" wasn't actually a doctor bound to the Hippocratic oath
> earlier in their career, but should have been. But absent the oath, I
> might remind them of their duties under HIPAA and if you have skin in this
> game you might want to talk to someone at HHS to look into this
> administrator's operations. Perhaps he was scared by the paranoia-inducing
> "security researchers" at this conference, but such warnings are just a
> reminder to do his job, not abdicate responsibility for them.
>
> More specifically, compromising Skype at this point is a feature of
> commercially-available products used by despotic regimes to surveil
> activists in countries like Egypt, and likely has come down market to
> organized crime at the very least. I don't know if that means the
> encryption used in Skype would fail to be HIPAA-compliant - all encryption
> schemes are breakable given enough horsepower - but the administrator may
> want to consider the PR implications of a remote consultation between one
> of their doctors and a celebrity getting posted to 4Chan. Tunnelling a
> WebRTC-based conferencing tool like BigBlueButton over a VPN (maybe it
> supports SSL natively now?) or using Jitsi or another similar trustworthy
> tool may be a way to reduce that risk.
>
> Keep fighting the good fight on this.
>
> Brian
> --
> Liberationtech is public & archives are searchable on Google. Violations
> of list guidelines will get you moderated:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> change to digest, or change password by emailing moderator at
> [email protected].
>
>
